hello

Happy Xmas and New Year, wish you all the best.

As I am learning PHP, I sometimes find that I don't know how PHP works for things such as login.

As I created a login form and code to process the form, I found out that I need validation, to make sure the entered data is not going to harm my scripts or that it is the needed data.

I found that I need to do something to make the user stay logged in so he can do the stuff that visitors cannot do, such as posting or reading special articles.

I know sessions are more complicated than cookies, and I see some websites have pages on Google with "session expired".

Cookies seem good. I know how to set a cookie with 1 variable such as $value or #user, and I can have a cookie with the data that I need; for example, I can put in a cookie a variable sent by the login form, $logged.

My question is how to make the cookies store login data, and how can I check the cookies to confirm the user is logged in?

One more sub-question! How to add more variables? I want to add if the user type = 1 (admin) and if the user name is $name (so link his posts to his name) and so on.

I think asking such an advanced thing is not good, but as I am learning, I want to know how things work, and I know you are generous and willing to help and you are doing so already.

thanks

    auday1982 wrote:

    I know sessions are more complicated than cookies, and I see some websites have pages on Google with "session expired".

    First off, Merry Xmas.

    Sessions aren't that complicated; to start a session you put "session_start();" at the very top of the page or it'll give you an error.
    To set a session put in "$_SESSION['user']=$user;", you don't have to use "$user"; if you're doing a login script the "$id" variable should be something like "$id=$_POST['user'];", again, you need to use "user", and you can also skip the variable and just put it like "$_SESSION['user']=$_POST['user'];". This is put into the login page; what you put in all the other pages is
    "if(!isset($_SESSION['user'])||!isset($_SESSION['something else'])){header("Location: login.php");}"
    If the session isn't set, that script sends the user to the login page.

    And if you only want to select data that the user has submitted, use "`user` = '".$_SESSION['user']."' LIMIT 1" in the query.

    So I hope you like it and I hope I'm right, as I'm not that advanced myself 🙂

    EDIT: To quickly sum it up it should look something like this

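    <?php
    session_start();
    // Login page: store the submitted values in the session
    $_SESSION['id'] = $_POST['id'];
    $_SESSION['user'] = $_POST['user'];
    ?>
    //Then on all the other pages it should look like
    <?php
    session_start();
    // Session values not set: send the visitor to the login page and stop
    if (!isset($_SESSION['id']) || !isset($_SESSION['user'])) {
        header("Location: .../login.php");
        exit;
    }
    ?>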
    

    This is how I always put up my login script and it works fine; if you have more questions just ask.

      Hi

      Thanks for the reply, it is cool that you explained the session in a clear way.

      But one thing is not clear to me yet: where does the session go, in PHP memory?

      I see websites adding it to the URL, and some seem to have it stored in a cookie ... so please explain to me where it is going.

      I only want to store 3 things ... user name, type of the user (1 is admin - 2 is normal user)

      The admin will be able to edit posts and post new ones ... so the admin will see more links and can use them without a new login every time.

      thanks

        The actual data contained in sessions are stored on the server's file system (usually in some temp folder, e.g. /tmp). The only thing stored in a cookie on the user's system (or, as you noted, propagated through the URL) is the session ID - a way to identify which session file belongs to which user.

        Since the data itself is stored on the server, I consider sessions to be a bit more secure than cookies in the fact that the data cannot be altered/forged by a malicious user.

        For example, if I'm a normal user and I login, say you use cookies and set a value "admin" equal to 0. What's to stop me from editing my cookie (a very simple process using the Web Developer addon for Firefox) and setting this "admin" value to 1? Your script wouldn't know the difference and would give me admin access as if you yourself had set the "admin" value to 1.
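An added example (not code from the thread or from any poster) of the point made in the reply above: the user name and user type live in the server-side session, so editing a cookie in the browser cannot turn a normal user into an admin. The user table, passwords, `TYPE_*` constants, `find_user()` and the `edit.php` link are constructed for illustration.

```php
<?php
// Added example. User names, passwords and TYPE_* values are constructed;
// a real site reads this row from its database by user name.
const TYPE_ADMIN = 1;
const TYPE_USER  = 2;
function find_user(string $name): ?array {
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['hash' => password_hash('constructed-pw-1', PASSWORD_DEFAULT), 'type' => TYPE_ADMIN],
            'bob'   => ['hash' => password_hash('constructed-pw-2', PASSWORD_DEFAULT), 'type' => TYPE_USER],
        ];
    }
    return $users[$name] ?? null;
}

function login(string $name, string $password): bool {
    $user = find_user($name);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;                      // unknown user or wrong password
    }
    session_regenerate_id(true);           // fresh session ID once the user is authenticated
    $_SESSION['user'] = $name;
    $_SESSION['type'] = $user['type'];     // from the server's record, never from the request
    return true;
}

function is_logged_in(): bool {
    return isset($_SESSION['user'], $_SESSION['type']);
}

function is_admin(): bool {
    // Reads only server-side session data; a browser-edited cookie "type=1" is never consulted.
    return is_logged_in() && $_SESSION['type'] === TYPE_ADMIN;
}

// Only the session ID goes to the browser, in a cookie that page scripts cannot read.
session_start(['use_strict_mode' => 1, 'cookie_httponly' => 1]);

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    login((string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''));
}

if (!is_logged_in()) {
    echo '<form method="post"><input name="user"><input name="pass" type="password"><button>Log in</button></form>';
} else {
    echo 'Hello, ' . htmlspecialchars($_SESSION['user']);
    echo is_admin() ? ' | <a href="edit.php">Edit posts</a>' : '';   // edit.php is a hypothetical admin page
}
```

Every admin-only page has to repeat the `is_admin()` check itself; hiding the link does not protect the page behind it.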

          Thanks man

          That is very clear ... now I understand how the session things work.

          I know sessions in URLs are kind of predictable ... people can still do some calculations and add a session ID ... and also the search engines hate it ...

          I will keep learning more and more ... with the help of God and people like you ... I will learn a lot.

          thanks
